IoT TLS: Why It Is HardDavid Brown

What is IoT“The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”

— TechTarget

5 Worst Examples● The Mirai Botnet● The Hackable Cardiac Devices from St. Jude● The Owlet WiFi Baby Heart Monitor Vulnerabilities● The TRENDnet Webcam Hack● The Jeep Hack

“IoT Security is not Interesting”

— James MickensHarvard University,Associate Professor,Authority on All Things

“TLS is the only good thing we have”

— James MickensHarvard University,Associate Professor,Authority on All Things

Raspberry Pi● Memory: GBs● Flash: GBs● CPU: GHz

Tiny devices● Memory: 10s KB● Flash: 100s KB● CPU: 10s MHz

Middle Devices● Memory: 100s Kb● Flash: 1Mb● CPU: 10-100 MHz

How Does TLS?

TLS Handshake

Handshake Requirements● Ciphersuite agreement● Verification of certificate, not optional

“TLS done incorrectly is worse than not using it at all. At least with no TLS you know that the communication is insecure.” — hallway talk at ICMC18

Implementation Requirements● Memory● Time● Randomness

Traditional TLS API

Improving Layering● Stream abstraction

○ Common in higher level languages○ Same API for TLS and non-TLS

● Put under Socket API○ Not really done in Linux (really, not done in Linux)○ Keeps same API○ The layering is wrong, though

Zephyr’s Approach● Second approach● Already offloading support, including one that has TLS● Abstractions are “scary”

API Mismatch

Where are we now?● Video of a demo?● Zephyr network API changes● JWT, time, MQTT